0

doas is a sudo-like command recently packaged in Debian 12, Ubuntu Jammy (universe) and some other Linux distros.

A non-sudoers user (doasuser) can be added to /etc/doas.conf to be granted root access. Detailed instructions on Debian Wiki.

Problem:

The doasuser isn't a member of any group. If you grant root access to doasuser, this information isn't synchronized with sudo (seen as unprivileged user). doas only comes with a binary program, a PAM configuration file and /etc/doas.conf.

Apart from /etc/doas.conf, a superuser can't find the permissions of the doasuser.

Is there any command line to check the permissions of doasuser?

2
  • 1
    I fail to parse the question 'check the permissions of doasuser seen as unprivileged by sudo?' or 'check permissions of a non sudoers user with full root access?'
    – AlexD
    Commented Feb 9 at 11:29
  • 1
    If I understand it correctly, you just want to see what a given user can do with doas. sudo isn't really relevant to the question at all except in that doas is vaguely a sudo-like tool. The mentions of sudo in the question are just confusing the issue. If you need to mention sudo at all, you probably just want the equivalent of sudo -l or sudo -lU <user> for doas
    – muru
    Commented Feb 9 at 11:45

2 Answers

2

doas doesn’t provide a command to list all the privileges it grants to a given user; all you can do is check whether a given command is permitted for the current user:

doas -C /etc/doas.conf some command

will tell you if, given the settings in /etc/doas.conf, the current user would be allowed to run some command (and whether or not the user would be asked for a password to do so).

From the perspective of a “superuser”, this means that you’d need to switch to the doasuser’s identity, then run doas -C as above to check the privileges.

sudo and doas are separate tools, so it’s not surprising that sudo isn’t aware of doas configuration (and vice versa). You should really only use one on any given system.
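An added example, not part of the answer above or of doas itself: since doas has no listing command, a superuser can filter /etc/doas.conf for the rules whose identity is a given user or one of that user's groups. The function names `doas_rules_for` and `sample_conf` and the sample configuration are constructed for illustration, and the parser assumes one rule per line with no quoted `#`.

```shell
#!/bin/sh
# Added example: list the doas.conf rules whose identity is USER or one of
# USER's groups. Usage: doas_rules_for USER [CONF] [GROUPS]
# GROUPS defaults to `id -Gn USER`; pass it explicitly to audit a copied file.
doas_rules_for() {
    user=$1
    conf=${2:-/etc/doas.conf}
    groups=${3-$(id -Gn "$user")}
    awk -v user="$user" -v groups="$groups" '
        BEGIN { n = split(groups, g, " "); for (k = 1; k <= n; k++) ingroup[g[k]] = 1 }
        {
            sub(/#.*/, "")                       # drop comments; $0 is re-split
            if ($1 != "permit" && $1 != "deny") next
            i = 2                                # skip options to reach the identity
            while (i <= NF) {
                if ($i == "setenv") { while (i <= NF && $i !~ /[}]$/) i++; i++ }
                else if ($i ~ /^(nopass|nolog|persist|keepenv)$/) i++
                else break
            }
            id = $i                              # user name or :group
            if (id == user || (substr(id, 1, 1) == ":" && (substr(id, 2) in ingroup)))
                printf "%d: %s\n", NR, $0
        }' "$conf"
}

# Constructed sample configuration (not from the page).
sample_conf() {
    cat <<'EOF'
# constructed sample
permit persist :wheel
permit nopass setenv { PATH=/usr/sbin:/usr/bin } doasuser as root cmd /usr/bin/apt args update
deny doasuser cmd /sbin/reboot
permit alice as root
EOF
}

# Demo on the constructed sample, treating doasuser as a member of wheel.
tmp=$(mktemp)
sample_conf > "$tmp"
doas_rules_for doasuser "$tmp" "doasuser wheel"
rm -f "$tmp"
```

The last matching rule in doas.conf determines the action, so read the output bottom-up; to confirm the result for one specific command, run doas -C /etc/doas.conf with that command as the user in question.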

1

As far as I understood this question, there is a program named doas which can be used similarly to sudo. The simple command that can be used to check if a user has root privileges is the following (in shell scripting):

if [ "$(id -u)" != "0" ]; then
    # the user is not root
    echo "not running as root" >&2
fi

The same command above can be used for both sudo and doas.

Explanation: id is a command which is used to print real and effective user and group IDs; specifically, id -u prints only the effective user ID. If the user has root permissions, their effective ID will be 0.
